1st Edition
The Cybersecurity Body of Knowledge The ACM/IEEE/AIS/IFIP Recommendations for a Complete Curriculum in Cybersecurity
The Cybersecurity Body of Knowledge explains the content, purpose, and use of eight knowledge areas that define the boundaries of the discipline of cybersecurity. The discussion focuses on, and is driven by, the essential concepts of each knowledge area that collectively capture the cybersecurity body of knowledge to provide a complete picture of the field.
This book is based on a brand-new and up to this point unique, global initiative, known as CSEC2017, which was created and endorsed by ACM, IEEE-CS, AIS SIGSEC, and IFIP WG 11.8. This has practical relevance to every educator in the discipline of cybersecurity. Because the specifics of this body of knowledge cannot be imparted in a single text, the authors provide the necessary comprehensive overview. In essence, this is the entry-level survey of the comprehensive field of cybersecurity. It will serve as the roadmap for individuals to later drill down into a specific area of interest.
This presentation is also explicitly designed to aid faculty members, administrators, CISOs, policy makers, and stakeholders involved with cybersecurity workforce development initiatives. The book is oriented toward practical application of a computing-based foundation, crosscutting concepts, and essential knowledge and skills of the cybersecurity discipline to meet workforce demands.
Dan Shoemaker, PhD, is full professor, senior research scientist, and program director at the University of Detroit Mercy’s Center for Cyber Security and Intelligence Studies. Dan is a former chair of the Cybersecurity & Information Systems Department and has authored numerous books and journal articles focused on cybersecurity.
Anne Kohnke, PhD, is an associate professor of cybersecurity and the principle investigator of the Center for Academic Excellence in Cyber Defence at the University of Detroit Mercy. Anne’s research is focused in cybersecurity, risk management, threat modeling, and mitigating attack vectors.
Ken Sigler, MS, is a faculty member of the Computer Information Systems (CIS) program at the Auburn Hills campus of Oakland Community College in Michigan. Ken’s research is in the areas of software management, software assurance, and cybersecurity.
Foreword 1
Foreword 2
Author Biographies
Introduction
Chapter 1 Securing Cyberspace Is Everybody’s Business
Introduction: The Current Situation Is Out of Control
The Challenge: How Do You Protect Something that Doesn’t Actually Exist?
We Must Re-evaluate Our Assumptions
The Adversary Changes Thing
The Three-Legged Stool
Learning to Play Better with Others
Creating a Holistic Solution
The Importance of Knowing What to Do
Enabling Common Understanding
Education Is the Key
The Body of Knowledge and Educational Strategy
Cybersecurity as an Academic Study
The Importance of Unified Recommendations about Areas of Vital Interest
Circumscribing the Field: Background and Intention of CC2005
Defining the Elements of the Discipline of Cybersecurity: CSEC2017
Knowledge Area One: Data Security
Knowledge Area Two: Software Security
Knowledge Area Three: Component Security
Knowledge Area Four: Connection Security
Knowledge Area Five: System Security
Knowledge Area Six: Human Security
Knowledge Area Seven: Organizational Security
Knowledge Area Eight: Societal Security
Real-World Utilization of the CSEC2017 Body of Knowledge
CSEC2017 Framework Areas of Application
Thirty Review Questions: Introduction to the CSEC Standard
You Might Also Like to Read
Chapter Summary
Keywords
References
Chapter 2 The Cybersecurity Body of Knowledge 39
Bodies of Knowledge Are Essential Tools in Educational Settings
Bodies of Knowledge
Making Cybersecurity Teaching Real
Validating Curricular Concepts
Applying the CSEC2017
The CSEC2017 Model
The CSEC2017 Organization
The CSEC2017 Implementation Process
Knowledge Area One: Data Security
Knowledge Area Two: Software Security
Knowledge Area Three: Component Security
Knowledge Area Four: Connection Security
Knowledge Area Five: System Security
Knowledge Area Six: Human Security
Knowledge Area Seven: Organizational Security
Knowledge Area Eight: Societal Security
Twenty Review Questions: The Cybersecurity Body of Knowledge
You Might Also Like to Read
Chapter Summary
Keywords
Chapter 3 Data Security
Surviving in a Digital Era
The CSEC2017 Data Security Knowledge Units
Knowledge Unit One: Cryptography
Knowledge Unit Two: Digital Forensics
Knowledge Unit Three: Data Integrity and Authentication
Knowledge Unit Four: Access Control
Knowledge Unit Five: Secure Communication Protocols
Knowledge Unit Six: Cryptanalysis
Knowledge Unit Seven: Data Privacy
Knowledge Unit Eight: Information Storage Security
Chapter Review Questions
You Might Also Like to Read
Chapter Summary
Learning Objectives for the Data Security Knowledge Area
Keywords
References
Chapter 4 Software Security
Building Pathways toward Software Security
The CSEC2017 Software Security Knowledge Units
Knowledge Unit One: Fundamental Principles
Knowledge Unit Two: Design
Knowledge Unit Three: Implementation
Knowledge Unit Four: Analysis and Testing
Knowledge Unit Five: Deployment and Maintenance
Knowledge Unit Six: Documentation
Knowledge Unit Seven: Ethics
Twenty Review Questions for This Chapter
You Might Also Like to Read
Chapter Summary
Learning Objectives for the Component Security
Knowledge Area
Keywords
Reference
Chapter 5 Component Security
It All Starts with the Components
The CSEC2017 Component Security Knowledge Units
Knowledge Unit One: Component Design
Knowledge Unit Two: Component Procurement
Knowledge Unit Three: Component Testing
Knowledge Unit Four: Component Reverse Engineering
Forty Review Questions: Component Security
You Might Also Like to Read
Chapter Summary
Learning Objectives for the Component Security
Knowledge Area
Keywords
Reference
Chapter 6 Connection Security
Introduction: The Challenge of Connecting the Enterprise
The CSEC Connection Security Knowledge Areas
Knowledge Unit One: Physical Media
Knowledge Unit Two: Physical Interfaces and Connectors
Knowledge Unit Three: Hardware Architecture
Knowledge Unit Four: Distributed Systems Architecture
Knowledge Unit Five: Network Architecture
Knowledge Unit Six: Network Implementations
Knowledge Unit Seven: Network Services
Knowledge Unit Eight: Network Defense
Twenty Review Questions: Connection Security
You Might Also Like to Read
Chapter Summary
Learning Objectives for the Connection Security
Knowledge Area
Keywords
References
Chapter 7 System Security
Assembling the Parts into a Useful Whole
The Key Role of Design in Systems
The CSEC2017 System Security Knowledge Units
Knowledge Unit One: System Thinking
Knowledge Unit Two: System Management
Knowledge Unit Three: System Access
Knowledge Unit Four: System Control
Knowledge Unit Five: System Retirement
Knowledge Unit Six: System Testing
Knowledge Unit Seven: Common System Architectures
Seventy Review Questions: System Security 380
You Might Also Like to Read
Chapter Summary
Learning Objectives for the Component Security
Knowledge Area
Keywords
References
Chapter 8 Human Security
Human-Centered Threats
Ensuring Disciplined Practice
The Challenging Case of Human Behavior
The CSEC2017 Human Security Knowledge Units
Knowledge Unit One: Identity Management
Knowledge Unit Two: Social Engineering
Knowledge Unit Three: Personal Compliance
Knowledge Unit Four: Awareness and Understanding
Knowledge Unit Five: Social and Behavioral Privacy
Knowledge Unit Six: Personal Data Privacy and Security
Knowledge Unit Seven: Usable Security and Privacy
Seventy Review Questions: Human Security
You Might Also Like to Read
Chapter Summary
Learning Objectives for the Human Security
Knowledge Area
Keywords
References
Chapter 9 Organizational Security
Introduction Securing the Entire Enterprise
Integrating the Elements of Cybersecurity into an Applied Solution
The CSEC2017 Organizational Security Knowledge Units
Knowledge Area One: Risk Management
Knowledge Area Two: Security Governance and Policy
Knowledge Area Three: Analytical Tools
Knowledge Unit Four: Systems Administration
Knowledge Area Five: Cybersecurity Planning
Knowledge Unit Six: Business Continuity, Disaster
Knowledge Unit Seven: Security Program Management
Knowledge Unit Eight: Personnel Security
Knowledge Unit Nine: Security Operations
Forty Review Questions: Organizational Security
You Might Also Like to Read
Chapter Summary
Learning Objectives for the Organizational Security
Knowledge Area
Keywords
References
Chapter 10 Societal Security
Security and Worldwide Connectivity
The CSEC2017 and the Profession
The CSEC2017 Societal Security Knowledge Units
Knowledge Unit One: Cybercrime
Knowledge Unit Two: Cyber Law
Knowledge Unit Three: Cyber Ethics
Knowledge Unit Four: Cyber Policy
Knowledge Unit Five: Privacy
You Might Also Like to Read
Chapter Summary
Learning Objectives for the Human Security Knowledge Area
Keywords
References
Index
Biography
Dan Shoemaker, PhD, is full professor, senior research scientist, and Program Director at the University of Detroit Mercy’s Center for Cyber Security and Intelligence Studies. Dan is a former chair of the Cybersecurity & Information Systems Department and has authored numerous books and journal articles focused on cybersecurity.
Anne Kohnke, PhD, is an associate professor of cybersecurity and the principle investigator of the Center for Academic Excellence in Cyber Defence at the University of Detroit Mercy . Anne’s research is focused in cybersecurity, risk management, threat modeling, and mitigating attack vectors.
Ken Sigler is a faculty member of the Computer Information Systems (CIS) program at the Auburn Hills campus of Oakland Community College in Michigan. Ken’s research is in the areas of software management, software assurance, and cybersecurity.
Book Foreword:
I have great pleasure in writing this foreword. I have worked with Dan, Anne, and Ken over the past six years as this amazing team has written six books for my book collection initiative. Their newest effort, The Cybersecurity Body of Knowledge: The ACM/IEEE/AIS/IFIP Recommendations for a Complete Curriculum in Cybersecurity, brings together a comprehensive understanding of cybersecurity and should be on the book shelf of every professor, student, and practitioner.
Right now, the study of cybersecurity is pretty-much in the eye of the beholder because the number of interpretations about what ought to be taught is limited only by the number of personal agendas out there in the field.
Through discussion with the team, I've learned that every well-established discipline of scholarship and practice has gone through the process of research, extensive discussions, formation of communities of practice, and thought leadership to continually build the body of knowledge. Over time, diverse voices put forth ideas, concepts, theories, and empirical evidence to advance the thinking and in every discipline there comes a time when thought leaders establish generally accepted standards based on a comprehensive view of the body of knowledge.
I believe that time has come for the discipline of cybersecurity.
Beginning with a narrow focus on computer security, the discipline has advanced tremendously and has accurately become known as a fundamentally computing-based discipline that involves people, information, technology, and processes. Additionally, as the global cyber infrastructure increases the possible targets, the interdisciplinary nature of the field includes aspects of ethics, law, risk management, human factors, and policy. The growing need to protect not just corporate information and intellectual property, but to maintain national security has created a demand for specialists across a range of work roles, with the knowledge of the complexities of holistically assuring the security of systems. A vision of proficiency in cybersecurity, that aligns with industry needs and involves a broad global audience of stakeholders, was needed to provide stability and an understanding of the boundaries of the discipline.
The formation of the CSEC2017 Joint Task Force - involving four major international computing societies: the Association of Computing Machinery (ACM), the IEEE Computer Society (IEEE CS), the Association for Information Systems Special Interest Group on Information Security and Privacy (AIS SIGSEC), and the International Federation for Information Processing Technical Committee on Information Security Education (IFIP WG 11.8) - came together to publish the single commonly accepted guidelines for cybersecurity curriculum (the CSEC2017 Report). The CSEC2017 Report authors have produced a thought model and structure in which the comprehensive discipline of cybersecurity can be well understood. With this understanding, development within academic institutions and industry can prepare a wide range of programs grounded in fundamental principles.
This book explains the process by which the CSEC2017 Report was formulated and its pedigree. It discusses the knowledge units of each of the eight knowledge area categories of the field in detail. The reader will understand the required knowledge for cybersecurity and gain a basic understanding of the application and purpose of each of these myriad elements.
I have studied the various chapters and believe the seamless flow of the content will benefit all readers and that the extensive use of visuals greatly improves readability. Although knowledge knows no end, dissemination and sharing of knowledge are critical. I believe this book will help form the foundation of the next evolution of cybersecurity and I congratulate the team on their work and their amazing result.
Dan Swanson
Series Editor
Reviews:
"The Cybersecurity Body of Knowledge
is a technical but readable guide to the eight areas that make up the core cybersecurity areas. Rather than treating the book as a knowledge dump of everything cybersecurity, the authors present the essential cybersecurity elements readers need to know.Cybersecurity knowledge cannot be conveyed in a single volume. In fact, the cybersecurity curriculum guidelines developed by the JTF run to more than 100 pages. Those looking for a comprehensive roadmap to effectively begin their cybersecurity journey will find that The Cybersecurity Body of Knowledge is an excellent guide."
Reviewer: Ben Rothke, CISSP (Certified Information Systems Security Professional), is a senior information security specialist with Tapad, Inc.
https://www.asisonline.org/security-management-magazine/articles/2021/01/book-review-the-cybersecurity-body-of-knowledge/